Remove bedrock (#521)

* Updates for Liberty Web Server configuration

* Update mqwebexternal.xml.default

Author: sdmarshall79

Dockerfile-server

@@ -124,7 +124,7 @@ COPY ha/native-ha.ini.tpl /etc/mqm/native-ha.ini.tpl
 # Copy web XML files
 COPY web /etc/mqm/web
 COPY etc/mqm/*.tpl /etc/mqm/
-RUN ln -s /run/mqwebuser.xml /etc/mqm/web/installations/Installation1/servers/mqweb/mqwebuser.xml \
+RUN ln -s /run/mqwebexternal.xml /etc/mqm/web/installations/Installation1/servers/mqweb/mqwebexternal.xml \
   && ln -s /run/tls.xml /etc/mqm/web/installations/Installation1/servers/mqweb/tls.xml \
   && ln -s /run/jvm.options /etc/mqm/web/installations/Installation1/servers/mqweb/configDropins/defaults/jvm.options \
   && ln -s /run/15-tls.mqsc /etc/mqm/15-tls.mqsc \

cmd/runmqserver/main.go

@@ -172,11 +172,19 @@ func doMain() error {
 		return err
 	}
 
-	// Copy default mqwebuser.xml file to ephemeral volume
-	err = copy.CopyFile("/etc/mqm/web/installations/Installation1/servers/mqweb/mqwebuser.xml.default", "/run/mqwebuser.xml")
-	if err != nil {
-		logTermination(err)
-		return err
+	// Copy default mqwebexternal.xml file to ephemeral volume
+	if *devFlag && os.Getenv("MQ_DEV") == "true" {
+		err = copy.CopyFile("/etc/mqm/web/installations/Installation1/servers/mqweb/mqwebexternal.xml.dev", "/run/mqwebexternal.xml")
+		if err != nil {
+			logTermination(err)
+			return err
+		}
+	} else {
+		err = copy.CopyFile("/etc/mqm/web/installations/Installation1/servers/mqweb/mqwebexternal.xml.default", "/run/mqwebexternal.xml")
+		if err != nil {
+			logTermination(err)
+			return err
+		}
 	}
 
 	// Copy default tls.xml file to ephemeral volume

cmd/runmqserver/webserver.go

@@ -20,7 +20,6 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"strings"
 
 	"github.com/ibm-messaging/mq-container/internal/copy"
 	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
@@ -61,84 +60,19 @@ func startWebServer(webKeystore, webkeystorePW, webTruststoreRef string) error {
 	return nil
 }
 
-func configureSSO(p12TrustStore tls.KeyStoreData, webKeystore string) (string, error) {
-	requiredEnvVars := []string{}
-	_, set := os.LookupEnv("MQ_ZEN_INTERNAL_ENDPOINT")
-	if !set {
-		// Ensure all required environment variables are set for SSO
-		requiredEnvVars = []string{
-			"MQ_OIDC_CLIENT_ID",
-			"MQ_OIDC_CLIENT_SECRET",
-			"MQ_OIDC_UNIQUE_USER_IDENTIFIER",
-			"MQ_OIDC_AUTHORIZATION_ENDPOINT",
-			"MQ_OIDC_TOKEN_ENDPOINT",
-			"MQ_OIDC_JWK_ENDPOINT",
-			"MQ_OIDC_ISSUER_IDENTIFIER",
-		}
-	} else {
-		// Ensure all required environment variables are set for Zen SSO
-		requiredEnvVars = []string{
-			"MQ_ZEN_UNIQUE_USER_IDENTIFIER",
-			"MQ_ZEN_INTERNAL_ENDPOINT",
-			"MQ_ZEN_ISSUER_IDENTIFIER",
-			"MQ_ZEN_AUDIENCES",
-			"MQ_ZEN_CONTEXT_NAME",
-			"MQ_ZEN_BASE_URI",
-			"MQ_ZEN_CONTEXT_NAMESPACE",
-			"IAM_URL",
-		}
-	}
-	for _, envVar := range requiredEnvVars {
-		if len(os.Getenv(envVar)) == 0 {
-			return "", fmt.Errorf("%v must be set when MQ_BETA_ENABLE_SSO=true", envVar)
-		}
-	}
-
-	// Check mqweb directory exists
-	const mqwebDir string = "/etc/mqm/web/installations/Installation1/servers/mqweb"
-	_, err := os.Stat(mqwebDir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return "", nil
-		}
-		return "", err
-	}
-
-	const mqwebuserLink string = "/run/mqwebuser.xml"
-	const mqwebuserTemplate string = mqwebDir + "/mqwebuser.xml.tpl"
-
-	// Process SSO template for generating file mqwebuser.xml
-	adminUsers := strings.Split(os.Getenv("MQ_WEB_ADMIN_USERS"), "\n")
-	err = mqtemplate.ProcessTemplateFile(mqwebuserTemplate, mqwebuserLink, map[string][]string{"AdminUser": adminUsers}, log)
-	if err != nil {
-		return "", err
-	}
-
-	// Configure SSO TLS
-	return tls.ConfigureWebKeystore(p12TrustStore, webKeystore)
-}
-
 func configureWebServer(keyLabel string, p12Truststore tls.KeyStoreData) (string, error) {
-	var webKeystore string
 
-	// Configure TLS for Web Console first if we have a certificate to use
+	webKeystore := ""
+
+	// Configure TLS for the Web Console
 	err := tls.ConfigureWebTLS(keyLabel, log)
 	if err != nil {
 		return "", err
 	}
-	if keyLabel != "" {
-		webKeystore = keyLabel + ".p12"
-	}
 
-	// Configure Single-Sign-On for the web server (if enabled)
-	enableSSO := os.Getenv("MQ_BETA_ENABLE_SSO")
-	if enableSSO == "true" || enableSSO == "1" {
-		webKeystore, err = configureSSO(p12Truststore, webKeystore)
-		if err != nil {
-			return "", err
-		}
-	} else if keyLabel == "" && os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME") != "" {
-		webKeystore, err = tls.ConfigureWebKeystore(p12Truststore, webKeystore)
+	// Configure the Web Keystore
+	if keyLabel != "" || os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME") != "" {
+		webKeystore, err = tls.ConfigureWebKeystore(p12Truststore, keyLabel)
 		if err != nil {
 			return "", err
 		}

incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/mqwebuser.xml.default renamed to incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/mqwebexternal.xml.dev

@@ -48,16 +48,20 @@ func ConfigureWebTLS(keyLabel string, log *logger.Logger) error {
 }
 
 // ConfigureWebKeyStore configures the Web Keystore
-func ConfigureWebKeystore(p12Truststore KeyStoreData, webKeystore string) (string, error) {
+func ConfigureWebKeystore(p12Truststore KeyStoreData, keyLabel string) (string, error) {
 
-	if webKeystore == "" {
-		webKeystore = webKeystoreDefault
+	webKeystore := webKeystoreDefault
+	if keyLabel != "" {
+		webKeystore = keyLabel + ".p12"
 	}
 	webKeystoreFile := filepath.Join(keystoreDirDefault, webKeystore)
 
 	// Check if a new self-signed certificate should be generated
-	genHostName := os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME")
-	if genHostName != "" {
+	if keyLabel == "" {
+
+		// Get hostname to use for self-signed certificate
+		genHostName := os.Getenv("MQ_GENERATE_CERTIFICATE_HOSTNAME")
+
 		// Create the Web Keystore
 		newWebKeystore := keystore.NewPKCS12KeyStore(webKeystoreFile, p12Truststore.Password)
 		err := newWebKeystore.Create()

internal/tls/tls_web.go

@@ -69,9 +69,12 @@ sed -i 's/password\t\[success=1 default=ignore\]\tpam_unix\.so obscure sha512/pa
 $RPM && (rpm -q --all | sort) || true
 $UBUNTU && (dpkg --list | sort) || true
 
-#Update the license file to include UBI 8 instead of UBI 7
+# Update the license file to include UBI 8 instead of UBI 7
 sed -i 's/v7.0/v8.0/g' /opt/mqm/licenses/non_ibm_license.txt
 
 # Copy MQ Licenses into the correct location
 mkdir -p /licenses
 cp /opt/mqm/licenses/*.txt /licenses/
+
+# Update server.xml to include mqwebexternal.xml
+sed -i 's|<include location="mqwebuser.xml"/>|<include location="mqwebexternal.xml"/>\n    <include location="mqwebuser.xml"/>|' /opt/mqm/samp/web/server.xml

setup-image.sh

@@ -172,7 +172,6 @@ func TestDevConfigDisabled(t *testing.T) {
 	id := runContainerWithPorts(t, cli, &containerConfig, []int{9443})
 	defer cleanContainer(t, cli, id)
 	waitForReady(t, cli, id)
-	waitForWebReady(t, cli, id, insecureTLSConfig)
 	rc, _ := execContainer(t, cli, id, "", []string{"bash", "-c", "echo 'display qlocal(DEV*)' | runmqsc"})
 	if rc == 0 {
 		t.Errorf("Expected DEV queues to be missing")

test/container/devconfig_test.go

@@ -1874,7 +1874,7 @@ func TestReadOnlyRootFilesystem(t *testing.T) {
 
 	messageToSearch := "read-only file system"
 	l := inspectLogs(t, cli, ctrID)
-	if !strings.Contains(l, messageToSearch) {
+	if !strings.Contains(strings.ToLower(l), messageToSearch) {
 		t.Fatalf("Expected 'read-only file system' in the logs but was not found. The output was: %s", l)
 	}
 }
@@ -1947,8 +1947,8 @@ func TestRORFSVerifySymLinks(t *testing.T) {
 		symLinkName string
 	}{
 		{
-			origin:      "/etc/mqm/web/installations/Installation1/servers/mqweb/mqwebuser.xml",
-			symLinkName: "-> /run/mqwebuser.xml",
+			origin:      "/etc/mqm/web/installations/Installation1/servers/mqweb/mqwebexternal.xml",
+			symLinkName: "-> /run/mqwebexternal.xml",
 		},
 		{
 			origin:      "/etc/mqm/web/installations/Installation1/servers/mqweb/tls.xml",

test/container/docker_api_test.go

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<server>
+    <featureManager>
+        <feature>appSecurity-2.0</feature>
+    </featureManager>
+    <variable name="httpHost" value="*"/>
+    <variable name="managementMode" value="externallyprovisioned"/>
+    <variable name="mqConsoleRemoteSupportEnabled" value="false"/>
+    <variable name="mqConsoleEnableUnsafeInline" value="true"/>
+    <jndiEntry jndiName="mqConsoleDefaultCCDTHostname" value="${env.MQ_CONSOLE_DEFAULT_CCDT_HOSTNAME}"/>
+    <jndiEntry jndiName="mqConsoleDefaultCCDTPort" value="${env.MQ_CONSOLE_DEFAULT_CCDT_PORT}"/>
+    <include location="tls.xml"/>
+</server>

web/installations/Installation1/servers/mqweb/mqwebexternal.xml.default

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<server></server>